{
	"id": "23cc9766-b076-4b79-9cbe-706051200786",
	"created_at": "2026-04-06T00:13:29.264806Z",
	"updated_at": "2026-04-10T03:30:32.911069Z",
	"deleted_at": null,
	"sha1_hash": "554b9bc24ceeb3b3c0ace84796982db6cac117ce",
	"title": "New AndroRAT Exploits Allow for Permanent Rooting",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 56586,
	"plain_text": "New AndroRAT Exploits Allow for Permanent Rooting\r\nBy: Veo Zhang, Jason Gu, Seven Shen Feb 13, 2018 Read time: 3 min (734 words)\r\nPublished: 2018-02-13 · Archived: 2026-04-05 16:17:06 UTC\r\nTrend Micro detected a new variant of the Android Remote Access Tool (AndroRAT) (identified as ANDROIDOS_ANDRORAT.HRXC) that has the ability to inject root exploits to perform malicious tasks such as silent installation, shell command execution, WiFi password collection, and screen capture. This AndroRAT targets CVE-2015-1805, a vulnerability publicly disclosed in 2016 that allows attackers to compromise a number of older Android devices; the malware uses it to perform its privilege escalation.\r\nRATs have long been a common Windows threat, so it shouldn’t be a surprise that they have come to Android. A RAT has to gain root access — usually by exploiting a vulnerability — in order to have control over a system. AndroRAT was discovered in 2012; its original authors intended it, initially a university project, as an open-source client/server application that can provide remote control of an Android system, which naturally attracted cybercriminals.\r\nFigure 1. Code snippet of the malware executing the exploit\r\nThis new variant of AndroRAT disguises itself as a malicious utility app called TrashCleaner, which is presumably downloaded from a malicious URL. The first time TrashCleaner runs, it prompts the Android device to install a Chinese-labeled calculator app that resembles a pre-installed system calculator. Simultaneously, the TrashCleaner icon disappears from the device’s UI and the RAT is activated in the background.\r\nFigure 2. Icon of the malicious TrashCleaner\r\nFigure 3. Icon of the Chinese-labeled calculator app\r\nThe configurable RAT service is controlled by a remote server, which means that commands can be issued to trigger different actions. The variant activates the embedded root exploit when executing privileged actions. It performs the following malicious actions found in the original AndroRAT:\r\nRecord audio\r\nTake photos using the device camera\r\nTheft of system information such as phone model, number, IMEI, etc.\r\nTheft of WiFi names connected to the device\r\nTheft of call logs including incoming and outgoing calls\r\nTheft of mobile network cell location\r\nTheft of GPS location\r\nTheft of contacts list\r\nTheft of files on the device\r\nTheft of list of running apps\r\nTheft of SMS from device inbox\r\nMonitor incoming and outgoing SMS\r\nApart from the original features of AndroRAT, it also performs these new privileged actions:\r\nTheft of mobile network information, storage capacity, and root status\r\nTheft of list of installed applications\r\nTheft of web browsing history from pre-installed browsers\r\nTheft of calendar events\r\nRecord calls\r\nUpload files to victim device\r\nUse front camera to capture high resolution photos\r\nDelete and send forged SMS\r\nScreen capture\r\nShell command execution\r\nTheft of WiFi passwords\r\nSilently enabling accessibility services for a keylogger\r\nTargeting CVE-2015-1805\r\nGoogle already patched CVE-2015-1805 in March 2016, but devices that no longer receive patches, or those with a long patch rollout period, are at risk of being compromised by this new AndroRAT variant. Older versions of Android, which are still used by a significant number of mobile users, may still be vulnerable.\r\nCountermeasures\r\nUsers should refrain from downloading apps from third-party app stores to avoid being targeted by threats like AndroRAT. Downloading only from legitimate app stores goes a long way toward device security. Regularly updating your device’s operating system and apps also reduces the risk of being affected by exploits for new vulnerabilities.\r\n[Read: Secure your mobile device through these easy steps]\r\nEnd users and enterprises can also benefit from multilayered mobile security solutions such as Trend Micro™ Mobile Security for Android™, which is also available on Google Play. For organizations, Trend Micro™ Mobile Security for Enterprise provides device, compliance and application management, data protection, and configuration provisioning. It also protects devices from attacks that leverage vulnerabilities, prevents unauthorized access to apps, and detects and blocks malware and fraudulent websites.\r\nTrend Micro’s Mobile App Reputation Service (MARS) covers Android and iOS threats using leading sandbox and machine learning technologies. The service protects users against malware, zero-day and known exploits, privacy leaks, and application vulnerabilities.\r\nWe disclosed our findings to Google and worked with them on further analyzing the apps that carried the new AndroRAT variant. Google said that the abovementioned apps were never on Google Play, and that they had already incorporated detection for CVE-2015-1805 into their compatibility tests. Ideally, any device launched or updated after April 2016 will not be vulnerable.\r\nIndicators of Compromise (IoCs)\r\nSHA256\tApp Label\tPackage Name\r\n2733377c14eba0ed6c3313d5aaa51171f6aef5f1d559fc255db9a03a046f0e8f\tTrashCleaner\tcom.cleaner.trashcleaner\r\nfde9f84def8925eb2796a7870e9c66aa29ffd1d5bda908b2dd1ddb176302eced\tTrashCleaner\tcom.cleaner.trashcleaner\r\n2441b5948a316ac76baeb12240ba954e200415cef808b8b0760d11bf70dd3bf7\tTrashCleaner\tcom.cleaner.trashcleaner\r\n909f5ab547432382f34feaa5cd7d5113dc02cda1ef9162e914219c3de4f98b6e\tTrashCleaner\tcom.cleaner.trashcleaner\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/new-androrat-exploits-dated-permanent-rooting-vulnerability-allows-privilege-escalation/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/new-androrat-exploits-dated-permanent-rooting-vulnerability-allows-privilege-escalation/"
	],
	"report_names": [
		"new-androrat-exploits-dated-permanent-rooting-vulnerability-allows-privilege-escalation"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434409,
	"ts_updated_at": 1775791832,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/554b9bc24ceeb3b3c0ace84796982db6cac117ce.pdf",
		"text": "https://archive.orkl.eu/554b9bc24ceeb3b3c0ace84796982db6cac117ce.txt",
		"img": "https://archive.orkl.eu/554b9bc24ceeb3b3c0ace84796982db6cac117ce.jpg"
	}
}